IASSNS-HEP-95/47; quant-ph:9506012 
One-way Functions In Reversible Computations 



H. F. Chau* and H.-K. Lo†

School of Natural Sciences, Institute for Advanced Study, Olden Lane, Princeton, NJ 08540 

(February 9, 2008) 



Abstract 

One-way functions are used in modern crypto-systems as trapdoors because
their inverse functions are supposed to be difficult to compute. Nonetheless 
with the discovery of reversible computation, it seems that one may break a 
one-way function by running a reversible computer backward. Here, we argue 
that reversible computation alone poses no threat to the existence of one-way 
functions because of the generation of "garbage bits" during computations. 
Consequently, we prove a necessary and sufficient condition for a one-to-one 
function to be one-way in terms of the growth rate of the total number of 
possible garbage bit configurations with the input size.

All presently known classical cryptographic schemes are based on the one-way function
hypothesis. That is, there exist one-to-one functions that can be computed in times
polynomial in the number of bits of their input arguments (and hence "efficient") while
computation of their inverses cannot (and hence "inefficient"). For example, the difficulty
of eavesdropping in the well-known RSA public key cryptography is based on the observation
that multiplying two numbers can be done efficiently while no known algorithm based
on classical computers can factorize a composite number $N$ into primes in a time which is
polynomial in $\log N$ [1]. Thus, the existence of one-way functions is an important issue of
crypto-security.

It has been shown that calculations can be done with reversible machines containing 
only reversible primitives (0-0. One may be tempted by this reversibility to believe that 
one can invert a one-to-one function just by running a reversible computer backward. If this 
were true, the computation of the inverse function would be as efficient as the computation 
of the function itself. Such a naive argument seems to suggest that reversible computation 
rules out one-way functions and threatens the security of public key cryptography. In this 
article, however, we argue that reversible logic does not exclude the possibility of one-way 
functions. Their robustness relies on our ignorance of the values of the "garbage bits" in 
computations. The key issue is how the total number of possible garbage bit configurations 
produced in a reversible computation of a function grows with the input size. We define 
an efficient (in a time polynomial in the input size) reversible algorithm for computing a 
function to be controllable if the total number of garbage bit configurations is polynomial in 
the size of the input. It is then straightforward to show that, given a one-to-one function
$f$ that can be computed efficiently, a necessary and sufficient condition for it to be one-way
is that it cannot be computed by any controllable algorithm.

Computation as it is currently carried out by electronic digital computers destroys
information. For example, the so-called AND gate has two inputs and one output. When the
output is 0, we lose information because the input can be (0,0), (0, 1) or (1,0). Erasure of 
information is a dissipative process which costs energy. Incidentally, this observation leads
to the first correct understanding of the Maxwell's demon ||. 

However, Bennett [^,[7] has shown that all logic operations can be performed reversibly 
by adding extra redundancy in both the input and the output. Thus, in principle, one can 
build a computer without internal power dissipation. Consider the Toffoli gate (also known
as controlled-controlled-NOT gate) which has three input and three output lines. The
first two lines ($a$ and $b$) act as control and pass through the gate unchanged. The value of
the third output line ($c_o$) depends on the third input line ($c_i$) and the control lines ($a$ and
$b$), and is given by

$$
c_o = \begin{cases} c_i & \text{if } a = 0 \text{ or } b = 0, \\ \bar{c}_i & \text{if } a = b = 1. \end{cases} \tag{1}
$$

The Toffoli gate is clearly reversible: the input can be deduced from the output by running
the latter through another Toffoli gate. Moreover, any logic operation can be implemented
by an appropriate arrangement of Toffoli gates. For example, by presetting the third
input line to be zero, the third output bit will implement the logical AND operation on the
first two input bits.

The above example illustrates two general features of reversible computations. First, to
simulate an irreversible logic operation, one is required to preset some of the input bits at
some particular (and fixed) values. Second, reversible systems produce not only what you
want in the output (the logical "AND" between $a$ and $b$ in the third output bit), but also
some "garbage bits". These garbage bits are, however, important. As noted before, the
function AND is many-to-one. The garbage bits contain the information we need to run the
computer in reverse. Actually, the Toffoli gate has been shown to be able to perform universal
computation in the sense that every function which is computable by the Turing machine is
also computable (equally efficiently) by a reversible Turing machine. Moreover, we can
confine the growth of the garbage bits as follows:

Theorem 1: (Bennett) The number of garbage bits in a reversible machine can be made
equal to the number of input bits.

Proof: We represent Bennett's algorithm schematically as

$$
\begin{aligned}
&\text{INPUT} + \text{PRESET}_1 + \text{PRESET}_2 \\
\longrightarrow\ &\text{OUTPUT} + \text{GARBAGE} + \text{PRESET}_2 \\
\longrightarrow\ &\text{OUTPUT} + \text{GARBAGE} + \text{OUTPUT} \\
\longrightarrow\ &\text{INPUT} + \text{PRESET}_1 + \text{OUTPUT}.
\end{aligned} \tag{2}
$$

First we run the machine forward, giving us the OUTPUT and the GARBAGE. Then we 
can copy down each of the output bits reversibly using a controlled-NOT gate ||. Finally, 
we run the machine backward. In this way, PRESET$_1$ are the internal registers used as
temporary storage whose values are unaltered after the process, PRESET$_2$ are the preset
bits used by the controlled-NOT gates, and INPUT in the output lines are regarded as
"garbage bits". □

Remark 1: Any function $f$ that can be computed efficiently by a universal Turing machine
can also be computed efficiently by a reversible Turing machine (with a possible slowdown
by a constant factor) [0,0. Now Theorem 1 shows that $f$ can be computed efficiently by
an algorithm which produces the same number of garbage bits as the number of input bits.
Thus, we can always design a reversible algorithm to calculate a given computable function
$f$ with the number of garbage bits required at most equal to the number of input bits.
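
Scheme (2) in the proof of Theorem 1 can be traced on a small circuit. The following Python sketch is an added example, not code from the paper: it simulates a Toffoli chain that ANDs $k$ input bits, then applies the forward, copy, backward sequence. The AND chain, the wire layout and the function names are assumptions chosen for illustration.

```python
from itertools import product


def run(gates, bits):
    """Apply (controls, target) gates in order: NOT, CNOT or Toffoli by arity."""
    for controls, target in gates:
        if all(bits[k] for k in controls):
            bits[target] ^= 1
    return bits


def and_chain(k):
    """Toffoli chain for a_0 & ... & a_{k-1} (k >= 2).

    Wires 0..k-1 are INPUT; wires k..2k-2 are preset to 0 and hold the partial
    ANDs, the last one (wire 2k-2) being OUTPUT. This layout is an assumption.
    """
    gates = [((0, 1), k)]
    gates += [((k + i - 2, i), k + i - 1) for i in range(2, k)]
    return gates


def forward_only(inp):
    """INPUT + PRESET_1 -> OUTPUT + GARBAGE: partial ANDs are left behind."""
    k = len(inp)
    return run(and_chain(k), list(inp) + [0] * (k - 1))


def bennett(inp):
    """Scheme (2): run forward, copy OUTPUT onto PRESET_2 with a CNOT, run backward."""
    k = len(inp)
    gates = and_chain(k)
    bits = list(inp) + [0] * (k - 1) + [0]        # INPUT + PRESET_1 + PRESET_2
    run(gates, bits)                              # OUTPUT + GARBAGE + PRESET_2
    run([((2 * k - 2,), 2 * k - 1)], bits)        # copy OUTPUT onto wire 2k-1
    run(list(reversed(gates)), bits)              # INPUT + PRESET_1 + OUTPUT
    return bits


def leftover_configs(machine, k):
    """Distinct values left on the k-1 working wires over all 2**k inputs."""
    return {tuple(machine(inp)[k:2 * k - 1]) for inp in product((0, 1), repeat=k)}


if __name__ == "__main__":
    print(forward_only((1, 1, 0, 1)))   # partial ANDs remain on wires 4..6
    print(bennett((1, 1, 0, 1)))        # working wires back to 0, result on wire 7
    print(len(leftover_configs(forward_only, 4)), len(leftover_configs(bennett, 4)))
```

After the backward pass the working wires always return to their preset value, so the only bits left beside the copied output are the input bits themselves, which is the count stated in Theorem 1.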

Remark 2: One must distinguish carefully between internal registers (PRESET$_1$) and garbage
bits. The internal registers are used only as temporary storage and they are unchanged at 
the end of a computation. On the contrary, the garbage bits take unknown values at the end 
of a computation. We remark that the number of internal registers needed for a reversible 
computation can be reduced by an elegant hierarchical "pebbling argument" due to Bennett 
PJlOfl . This space-efficient simulation is obtained by breaking the original computation into 
segments and then doing and undoing these segments in a hierarchical manner. Moreover, 
the increase in running time is insignificant. However, this pebbling argument does not 
reduce the number of garbage bits.

In some cases, it may be possible to further reduce the number of garbage bits. If the
function that we are evaluating is one-to-one, the desired output already contains all the
information needed to deduce the input. No garbage bit is needed to account for the missing
information. (The computer may still use some internal registers as scratch space during a
calculation. We only need to make sure that those internal registers are restored to their
initial values at the end of the calculation.) Given a function $f$, this machine will take the
input $x$ to $y = f(x)$ without garbage bits; i.e., INPUT → OUTPUT. The computation of
a one-to-one computable function $f$ without garbage bits was discussed by Bennett [§]:

Theorem 2: (Bennett) Let $f$ be an invertible function. If $f$ and $f^{-1}$ are both computable,
then there exists a reversible algorithm to compute $f$ without producing any garbage bits.

Proof: Since every function computable using a Turing machine is also computable using
a reversible Turing machine, we may assume the existence of reversible algorithms in
computing $f$ and $f^{-1}$, and each of them may produce some garbage bits. We now construct a new
reversible algorithm which sends INPUT to OUTPUT without any garbage bits as shown
below:

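$$
\begin{aligned}
&\text{INPUT} + \text{PRESET}_1 + \text{PRESET}_2 \\
\longrightarrow\ &\text{OUTPUT} + \text{GARBAGE}_1 + \text{PRESET}_2 \\
\longrightarrow\ &\text{OUTPUT} + \text{GARBAGE}_1 + \text{OUTPUT} \\
\longrightarrow\ &\text{INPUT} + \text{PRESET}_1 + \text{OUTPUT} \\
\longrightarrow\ &\text{INPUT} + \text{GARBAGE}_2 + \text{INPUT} \\
\longrightarrow\ &\text{INPUT} + \text{GARBAGE}_2 + \text{PRESET}_2 \\
\longrightarrow\ &\text{OUTPUT} + \text{PRESET}_1 + \text{PRESET}_2.
\end{aligned} \tag{3}
$$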

This corresponds to running the $f$ machine forward, (reversibly) copying the output down
using a number of controlled-NOT gates, then running the $f$ machine backward. After that
we run the $f^{-1}$ machine forward and then reversibly erase the input (again by means of
a series of controlled-NOT gates ||). Finally, we run the $f^{-1}$ machine backward. Note
that PRESET$_1$ and PRESET$_2$ can be regarded as internal registers providing scratch space
during the calculation. □

Remark 3: Suppose we have efficient algorithms to compute both $f$ and $f^{-1}$; then it is easy
to verify that the above "zero garbage-bit algorithm" to compute $f$ is also efficient.

Reversible computation gives rise to a paradox: a reversible machine seems to give a
shortcut to compute the inverse of a function. By running the machine backward, it takes $y$
into $f^{-1}(y) = x$. Thus, one may be tempted to believe that the computations of $f$ and $f^{-1}$
are equally efficient. If this were true, there would be no one-way functions and all classical
cryptographic systems would be in danger. In view of the widespread usage of public key
crypto-systems, it is crucial for us to resolve this paradox. (This question is brought forward
again [11] after the recent polynomial time factorization algorithm using quantum computer
by Shor [12]. And cryptography by quantum mechanical means may be the only secure
method [11,13-15]. We shall return to this point later in this article.)

The resolution of the above paradox lies in the fact that in general there is no efficient
way to reduce the garbage (without an efficient way of computing the inverse function;
we shall elaborate on this point in the proof of Theorem 3). The value of each garbage bit
may be 0 or 1 depending on the input. However, the values taken by the various garbage
bits may well be correlated so that when there are $k$ garbage bits, the total number of
all possible configurations of the garbage bits is in general less than or equal to $2^k$. For
a given OUTPUT, there is only one such combination which is correct in the sense that
the appropriate input (INPUT) and preset bits (PRESET) can be obtained by running
the machine backward. That is, OUTPUT + GARBAGE → INPUT + PRESET. (If
the function is many-to-one, then there are in general multiple possible garbage bit
combinations which are "correct". Each of them corresponds to a pre-image of the function.)
To efficiently compute the inverse function, we must be able to control the growth of the
number of possible garbage bit configurations. This leads us to the following definition.

Definition 1: An efficient reversible algorithm to compute $f$ is said to be controllable if and
only if all the potential values of the garbage bits are known and the total number of possible
garbage bit configurations scales like a polynomial function of the number of input bits.

Remark 4: The number of different possible garbage bit configurations depends greatly on
the reversible algorithm. The trick by Bennett 0] that we have described in Theorem 1 
above is in general not effective enough to control the growth of the number of possible 
garbage bit configurations. The pebbling argument discussed in Remark 2 is not useful
either.

With the concept of a controllable algorithm in mind, we can prove a theorem which 
measures the difficulty in computing an inverse function. 

Theorem 3: Given a one-to-one function $f$ which can be computed efficiently, the
following statements are equivalent:

(a) $f$ is not a one-way function;

(b) there exists an efficient algorithm to compute f(x) without generating any garbage 
bits; 

(c) there exists an efficient algorithm to compute f(x) with the number of garbage bits 
that scales as the logarithm of the input bit length; and 

(d) f(x) can be computed by a controllable algorithm. 

Proof: (a) $\Rightarrow$ (b) is just a direct application of Theorem 2 and Remark 3. Besides, it is
easy to see that (b) $\Rightarrow$ (c) $\Rightarrow$ (d). To show the equivalence of the above four statements, it
remains to prove that (d) $\Rightarrow$ (a).

We fix the OUTPUT to be the configuration that represents $y$. Then $x = f^{-1}(y)$
is obtained in the following way. First, we set the garbage bits to one of the possible
configurations before running the machine backward. It is clear that if the values of the
preset bits agree with the ones we have used when we run the machine forward, then the
input bit configuration is in the pre-image of OUTPUT under the function $f$. Since $f$ is
one-to-one, we can conclude that the input bit configuration corresponds to $x = f^{-1}(y)$.
Thus, we test if the values of the preset bits agree with the ones we have used when we run
the machine forward. If they agree, then reading out the INPUT will give us the value of
$x$, and we are done. If not, we run the machine forward again, and then (reversibly) replace
the garbage bits by another possible configuration (by means of a table). This process
is repeated until the preset bits agree with the ones we have used. Since all the potential
garbage bit configurations are known and their total number is at most a polynomial function
of the input bit length, the above reversible algorithm is efficient. Thus, $f$ is not a one-way
function. This completes the proof. □

Remark 5: An efficient algorithm for $f^{-1}$ is obtained provided that we can find an efficient
way to "control" the growth of the number of garbage bits. Besides, Theorem 3 tells us
that finding an efficient way to control the growth of garbage bits is as difficult as finding
an efficient way to compute the inverse function itself. In other words, Theorem 3 states
that, given a one-to-one function that can be computed efficiently, a necessary and sufficient
condition for it to be one-way is that it cannot be computed by any controllable algorithm.
Therefore, reversible computation does not rule out one-way functions. It only makes their
definition more precise.

Remark 6: Even if the garbage bit configuration is known, the method used in Theorem 3 to
compute the inverse function is only as efficient as computing the function $f$ itself. Other
algorithms (if any) have to be used if we demand an algorithm for computing $f^{-1}$ which is
more efficient than computing $f$.

It is instructive to give an example of a function that can be computed by a controllable 
algorithm. 

Example 1: Consider the reversible algorithm of sending $x$ to $x + 1 \bmod 2^n$ as shown in
Figure 1. Obviously, the algorithm is efficient. The number $x$ is encoded in the binary
representation $(a_{n-1} a_{n-2} \cdots a_1 a_0)$, and $c_i$ ($i = 1, 2, \ldots, n-2$) are the garbage bits used to
keep track of the carries. Since $a_0$ can be used as a carry for the least significant digit, there
is no need to invoke $c_0$. It is straightforward to see that the possible values for the output
garbage bits are $(c_{n-2} c_{n-3} \cdots c_1) = (00 \cdots 00), (00 \cdots 01), (00 \cdots 11), \ldots, (11 \cdots 11)$. Thus
the total number of possible garbage bit configurations grows linearly with the number of
input bits $n$ and hence the algorithm is controllable.
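
The inversion procedure from the proof of Theorem 3 can be run on Example 1. The following Python sketch is an added example, not code from the paper: it builds an increment circuit from NOT, controlled-NOT and Toffoli gates, lists the $n-1$ garbage configurations, and inverts by trying each one and running the gates backward until the carry wires return to their preset value. The gate order, wire layout and function names are assumptions and need not match Figure 1.

```python
def increment_gates(n):
    """Gates (controls, target) taking x to x+1 mod 2**n, for n >= 3.

    Wires 0..n-1 hold a_0..a_{n-1}; wire n+i-1 holds carry bit c_i (i = 1..n-2),
    preset to 0. This gate order is an assumption, not a copy of Figure 1.
    """
    c = lambda i: n + i - 1
    gates = [((0, 1), c(1))]                                   # c_1 ^= a_0 & a_1
    gates += [((c(i - 1), i), c(i)) for i in range(2, n - 1)]  # c_i ^= c_{i-1} & a_i
    gates += [((c(i - 1),), i) for i in range(n - 1, 1, -1)]   # a_i ^= c_{i-1}
    gates += [((0,), 1), ((), 0)]                              # a_1 ^= a_0, then NOT a_0
    return gates


def run(gates, bits):
    """Apply NOT / CNOT / Toffoli gates in order; each gate is its own inverse."""
    for controls, target in gates:
        if all(bits[k] for k in controls):
            bits[target] ^= 1
    return bits


def forward(x, n):
    """INPUT + PRESET -> OUTPUT + GARBAGE. Returns (x+1 mod 2**n, garbage tuple)."""
    bits = [(x >> i) & 1 for i in range(n)] + [0] * (n - 2)
    run(increment_gates(n), bits)
    return sum(b << i for i, b in enumerate(bits[:n])), tuple(bits[n:])


def garbage_table(n):
    """The n-1 configurations of (c_1, ..., c_{n-2}): k ones followed by zeros."""
    return [(1,) * k + (0,) * (n - 2 - k) for k in range(n - 1)]


def invert(y, n):
    """Theorem 3, (d) => (a): try each known garbage configuration, run backward,
    and accept when the carry wires return to their preset value 0.
    Returns (x, number of configurations tried)."""
    backward = list(reversed(increment_gates(n)))
    for trials, garbage in enumerate(garbage_table(n), start=1):
        bits = [(y >> i) & 1 for i in range(n)] + list(garbage)
        run(backward, bits)
        if not any(bits[n:]):                     # presets restored: correct guess
            return sum(b << i for i, b in enumerate(bits[:n])), trials
    raise ValueError("no garbage configuration restores the preset bits")


if __name__ == "__main__":
    n = 5
    seen = {forward(x, n)[1] for x in range(2 ** n)}
    print(f"n={n}: {len(seen)} garbage configurations for {2 ** n} inputs")
    print("invert(0) ->", invert(0, n))
```

A wrong guess can never be accepted: the circuit is a bijection on the full wire state, so a backward run that ends with all carry wires at 0 must have started from the true forward image of some input, and $f$ is one-to-one.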

Remark 7: Similarly, it can be shown that the reversible algorithm of adding two numbers
modulo $2^n$ (i.e., $a$ + $b$ + PRESET → $(a + b)$ + $b$ + GARBAGE) requires $O(n^2)$ garbage
bits. The total number of possible garbage bit configurations grows as $O(n^2)$, and hence
the algorithm is controllable. Thus, once $a + b$ and $b$ are given, $a$ can be found efficiently.

It is difficult to give examples of functions that are efficiently computable only by
algorithms that are not controllable because showing their existence would be equivalent to
proving the (still unproven) one-way function hypothesis.

We remark that reversible computation is quite common in microscopic chemical reactions.
DNA copying in nature may be regarded as a special form of reversible computation.
Extensive work has been done recently to explore the power of massive parallelism in DNA
computation [16,17].



In recent years, a new quantum theory of computation has been developed [§.|T^.|T^]. A 
quantum computer can follow many distinct computation paths simultaneously and produce 
a final output depending on the interference of all of the paths. In particular, Shor's
efficient quantum algorithm to factor large composite numbers [12] challenges the existence
of one-way functions and threatens the security of public key crypto-systems. It has been
suggested that perfect security can be achieved only by quantum cryptography [11,13-15].
Unlike classical cryptography which is based on the unproven one-way function hypothesis,
quantum cryptography is unbreakable because it relies on the "no-cloning theorem" of
non-orthogonal states in quantum mechanics. Nevertheless, quantum cryptography requires
quantum coherence which is technologically difficult to maintain over long distances. For
example, a quantum particle transmitted from the Voyager spacecraft back to the Earth
will undoubtedly lose its coherence due to interactions with solar wind on its way. In the
foreseeable future, the widespread usage of classical cryptography is likely to continue. It
is, therefore, important to examine the robustness of the one-way function hypothesis. And
we have shown in this article that this hypothesis is consistent with classical reversible
computers.

A simple remark is in order. For a quantum computer to speed up computation, it is
crucial for the various computational paths to interfere with each other. In other words,
new quantum algorithms are needed to exploit the massive "quantum parallelism". If we
are to run a classical algorithm (devised for classical reversible computers) in a quantum
computer, it is well-known that there will be no speed up. (Compare with Remark 6.) For
such an algorithm, the best thing we can do is to prepare some superpositions of garbage bit
configurations and run the quantum machine backward. Then we make a measurement on
the preset bits to see if they agree with the ones we will use when we want to run the machine
forward. On average, the number of trials we have to perform before an agreement is made
scales exponentially with the number of garbage bits. Thus, this method is inefficient in
general.

FIGURES

FIG. 1. A reversible algorithm for adding unity modulo $2^5$. An algorithm for adding unity modulo
$2^n$ can be constructed in a similar way. The number is encoded as $(a_4 a_3 a_2 a_1 a_0)$. The $c_i$ are the
garbage bits, which are used to keep track of the carry. Standard reversible logic notations are used
where ⊕ denotes negation, and • denotes a controlling bit. For example, the first and the second
operations in this figure are the controlled-controlled-NOT and controlled-NOT gates respectively.